Krebs on Security

In-depth security news and investigation

What’s in a Boarding Pass Barcode? A Lot

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screen shot of the boarding pass, enlarged it, and quickly found a site online that could read the data.

An older Delta boarding pass with a bar code that does not include a frequent flyer number. Source: IATA.

“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information.

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.

The information contained in the boarding pass could make it easier for an attacker to reset the PIN used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airlines’ “forgot PIN” Web site.

After that, the site asks for the answer to a pre-selected secret question. The question in the case of Cory’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)

The readout from the barcode on Cory’s friend’s boarding pass (redacted).

United Airlines seems to treat its customers’ frequent flyer numbers as secret access codes. For example, if you’re looking for your United Mileage Plus number, and you don’t have the original document or member card they mailed to you, good luck finding this information in your email correspondence with the company. When United does include this code in correspondence, all but the last three characters are replaced with asterisks. The same is true with United’s boarding passes. However, the full Mileage Plus number is available if you take the time to decode the barcode on a boarding pass.

Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader.

Finally, the standards for the boarding pass barcodes are widely available and have been for years. Check out this document (PDF) from the International Air Transport Association (IATA) for more on how the barcode standards work and have been implemented in various forms.
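To make concrete what a decoded barcode string gives away, the following is an added example (not code from this article, from Cory, or from IATA) that slices the fixed-width mandatory fields of an “M”-format boarding pass string. The field widths are those of the IATA bar coded boarding pass standard's mandatory section; the sample string, passenger, record locator and carrier code “ZZ” are constructed.

```python
from datetime import date, timedelta

# (field name, width), in barcode order: the 60-character mandatory section.
MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("record_locator", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)

# Constructed sample (fictional passenger, locator and carrier "ZZ"),
# built with ljust() so every fixed-width field is padded correctly.
SAMPLE = ("M1" + "DOE/JANE".ljust(20) + "E" + "XYZ123".ljust(7) + "SFO" + "FRA"
          + "ZZ".ljust(3) + "0123".ljust(5) + "279" + "Y" + "023A"
          + "0042".ljust(5) + "1" + "00")


def parse_bcbp(raw: str) -> dict:
    """Slice the mandatory fields out of an already-decoded barcode string."""
    if len(raw) < MANDATORY_LEN:
        raise ValueError(f"need {MANDATORY_LEN} characters, got {len(raw)}")
    if raw[0] != "M":
        raise ValueError("not an 'M'-format boarding pass string")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    # The name is stored as SURNAME/GIVEN, space-padded to 20 characters.
    fields["surname"], _, fields["given_name"] = \
        fields["passenger_name"].partition("/")
    # Hex length of the conditional/airline-specific data that follows.
    fields["conditional_len"] = int(fields["conditional_size_hex"] or "0", 16)
    return fields


def flight_date(fields: dict, year: int) -> date:
    """The barcode carries only the day of the year; the year is supplied."""
    return date(year, 1, 1) + timedelta(days=int(fields["julian_date"]) - 1)


def booking_lookup_pair(fields: dict) -> tuple:
    """Surname plus record locator: the pair Cory used on the airline site."""
    return fields["surname"], fields["record_locator"]
```

The frequent flyer number discussed above sits in the variable-length conditional section that follows these 60 characters, which this example does not parse.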

This entry was posted on Tuesday, October 6th, 2015 at 2:57 pm and is filed under A Little Sunshine, Latest Warnings.

124 comments

Did anyone ever answer this? Having just returned from an international trip, I’d like to try it. But before I do I’d like to know what that site hangs on to. Catch-22. I want to see if there’s any PII on my boarding passes but without trying the site I won’t know.

The PreCheck indicator is on the boarding pass (in the “selectee” field), but PreCheck boarding passes (as well as boarding passes on your phone) need to be digitally signed. I believe the “selectee” field encodes the response returned by the DHS APIS system. A 0 means normal/cleared, a 1 means “inhibited” (i.e. on the No-Fly List), a 2 means “selectee,” and a 3 means “TSA PreCheck.” (A 4 indicates insufficient passenger information.)

I believe the airlines are supposed to generate these signatures using an HSM, but I would not be surprised if someone found a vulnerability.

“I believe the “selectee” field encodes the response returned by the DHS APIS system. A 0 means normal/cleared, a 1 means “inhibited” (i.e. on the No-Fly List) …”

Finally, a way to find out whether one’s on the no-fly list or not without having to go to an airport attempting to fly somewhere! :-O

Kind of stunning. I wonder if any of the kids implementing stuff these days have any clue as to what they’re doing or how any of this !@#$ works. And this is including Lufthansa, of whom I’d expect far better.

…yes, much ado is made about the common data elements, EXCEPT the key one (Star Alliance – Frequent Flyer Number) isn’t anywhere on the plaintext boarding pass (the author redacted all but the first three characters, so tell me where you find “GJ0” printed in plaintext on the boarding pass?)

Same with the RecordKey, Airport Codes, Airline Codes and Flight Number (some of that could be searched up online, but having it provided for you makes this trivial. Trivial = ripe for picking).

So, here’s the challenge, scoffers. Using only the plain data on the boarding pass, log into this guy’s Star Alliance frequent flyer account.

The problem solved by including the FFN (and some other data) in the bar code sans encryption is that of interline or alliance travel, particularly that forced by IRROPS. There’s a secured data block supported in the IATA spec, but putting FFNs in that wouldn’t help 5E read ZQ’s data during one of those scenarios.

Treating FFNs as “secret magic numbers” is as bad an idea as that of using Social Security numbers as database foreign keys–an idea that showed up during the 1980s–the repercussions of which we’re still feeling today. As was said elsewhere, this says more about the security on airline websites than it does about the IATA bar code standard.

This is why I collect and shred them at the end of the trip (I had no idea this much information was on it, but I am paranoid and assumed the worst 😉

So my question is – is the problem that qr/bar code is directly linked to too much personal information or that there are services that present all this data to the public instead of just the name of the passenger? Sounds like a combination of both. The QR/bar code should be flight specific (or maybe at worst, trip specific), and only have the passenger name. I don’t see why the rewards numbers need to be directly linked to the code (should require another lookup based on a uid or passenger name).

“””
After that, the site asks for the answer to a pre-selected secret question. The question in the case of Cory’s friend was “What is your Mother’s maiden name?” That information can often be gleaned by merely perusing someone’s social networking pages (e.g., does your aunt or uncle on your mom’s side have your mother’s maiden name as their last name? If so, are they friends with you on Facebook?)
“””

As if you needed another reason to NOT be friends with your parents on social networks 😀 !

It’s a good reason to leave blank all the fields in your Facebook profile (that FB is constantly egging me on to fill in), and to also be more circumspect about posting the minutiae of your past and present life.

I’ve used the electronic boarding pass, but eventually stopped. I will often turn my phone off and leave it off for the duration of my trip. If I use electronic boarding passes, I have to dig it out between flights.

But, the worst was when my flight was delayed. By the time we boarded, the electronic boarding pass had “expired.” (Your flight already left, we cannot retrieve the boarding pass for this flight.)

A PITA to get a second copy of the boarding pass in the middle of the boarding process.

This is exactly why it’s good to have 2 copies of that electronic boarding pass. The first you choose is the one you’ve added to your Passbook app (assuming all of you security aware folks use iPhones, not Android devices). Those passes remain regardless of age until you delete them. Then the second copy, the backup, is in the airline’s mobile app.

Can’t any authorized ticket agent at the airlines print one up? Is there a limit to how many could be printed by the airline computer system- such as only one per passenger per flight? Now seems like something that could be easily used illegitimately.

This seems to be a good way to gain information for social engineering.

I tried to replicate the scenario with a recent boarding pass of mine and there seem to be two errors in the text:

1. name and record locator only give you access to the flights on lufthansa.com. It does not give you access to the entire account as the text claims (i.e. no possibility to spend miles).
2. the forgotten-pin-function on united.com works only for United and not for all Star Alliance accounts. Some Star Alliance carriers might have similar mechanisms, but at least for Lufthansa this does not seem to work.

Still there is a lot of information that can be gained by having access to boarding passes.

“… but if a bad guy knows about your future flights then he would also know when to break into your house.”

Or, when to show up at the airport in order to assassinate you. I wonder how Dick Cheney deals with his boarding passes. He seems to have a lot of detractors these days. If this’s a potential problem for Cheney, lots of other high value targets are as well, pretty much any who use commercial airlines.

I know nothing about security but this scares me a little. I haven’t really tried to keep much of my life a secret but after having my credit card details stolen while still IN my wallet IN my pocket I’m starting to take things a little more seriously.

I fly a lot and have always shredded my used boarding passes. But I’ve wondered why in an airport gate when you exchange a boarding pass, e.g. seat change, upgrade, they just drop the old one in a wastebasket. Between flights that wastebasket is unattended.

Also, I’ve always questioned how easy it is to access a flight itinerary record. I think the idea behind easy access is that, say, a hotel concierge or assistant can use just the locator and last name to call up a reservation to check the client/boss in for a flight, print boarding passes, etc. without logging on with full credentials.

Yet another reason to stop sharing so much information on social media. I will never understand how people can be so oblivious to the dangers of sharing things such as a boarding pass on their social media account. The amount of information people share on their social media accounts makes the information gathering process for the bad guys a piece of cake.

Although I have to admit I have never seen anyone share a picture of their boarding pass, but I would not have thought much of it in regard to security.

I have just tried to use the only somehow hidden information from the boarding pass (the M&M membership number) to reset my PIN, as explained in the article.

As expected, this failed as the email address was not correct.

I can imagine trying to social-engineer my way through the M&M phone help desk but the information I would use would be known from the ticket itself (except for the M&M number, which is not a secret anyway).

It’s astonishing how careless airlines are with information. A few years ago I was bumped off a US Air flight. After the ground crew left me stranded and moved off to work another gate I noticed that someone had dropped the flight manifest on the ground – the full passenger list (including who had checked in and who had not). This information is not supposed to be released while the flight is in the air and here it was on the floor. It also had all kinds of personal info on each passenger (including me). I’ve still got it around here somewhere.

Considering that the average American (at least 50%) doesn’t make enough money to pay any taxes and that over 60% are on some kind of freebie handout – one wonders who would even care.
Can you imagine sorting through all those air tickets until you finally find someone of substance that will make it worth your while?
In the old days you could just pick up the phone book and get anyone’s home address and phone number.
If you think I am some kind of crazy, leave this site and google your own name.
ooooops